Title:

Mechanism for securing reliable evidence from computers and listening devices

Technical Field

This invention relates to methods and apparatus for securing and preserving evidence 
from computers and listening devices in a form which eliminates or reduces the need 
for corroborative or supporting evidence regarding the circumstances of the making 
of the recording. 

Background 

Throughout the history of computing it has been known that evidence from 
computers has been modifiable in most cases without trace. Modification and 
fabrication of computer evidence has led to serious problems in the investigation and 
prosecution of computer crimes, in the management of computer security, in the 
keeping of business records in accordance with the security provisions of the 
Companies Acts and in the cost of litigation where evidence has been derived from 
computers. 

In criminal investigations the reliability of evidence from computers has had to be
secured by complex administrative procedures ("bagging and tagging") when freezing 
computer evidence at the scene of an alleged crime together with the use of image 
copying equipment to take bit image copies of suspected computer systems. Police 
officers and computer staff have had to give detailed evidence regarding how they 
secured computer systems and preserved the computer evidence. In managing 
computer security there have been cases where it has been difficult or impossible to 
show precisely what data or programs were on particular computer systems at
particular times. In the keeping of business records there have been concerns about the
conversion of paper records into document image copies and their subsequent 
reliability as contemporaneous evidence. One security concern has been the fact that 
a document image copy can be used to create modified versions of itself which 
cannot be shown to be forgeries without a very expensive forensic examination being
undertaken - and sometimes with it being impossible to prove that the document 
image is an unmodified original. Consequently expensive administrative controls 
regarding the storage of document image copies are necessary to maintain adequate 
security. 

Additionally police and security services have made greater use of listening devices 
under warrant for the monitoring of suspected criminals. Currently under UK 
legislation the evidence from such listening devices can only be used for intelligence 
gathering purposes and cannot be tendered in evidence in civil or criminal trials. This 
situation is presently under review and it is anticipated that UK law will be changed 
to allow for evidence from listening devices under warrant to be admissible in civil 
and criminal trials in certain circumstances. Concern has been expressed regarding 
the need for security services personnel to testify regarding the planting of listening
devices and their compliance with administrative procedures to secure the reliability
of evidence from listening devices. 

Object of the Invention

It is the object of the invention to provide a computer peripheral, termed the 
"DataFreeze", which will automatically secure evidence in a form which will be 
accepted as being electronically "bagged and tagged" - that is to say the evidence will 
be encapsulated in a form which establishes precisely when it was obtained and 
where it was obtained. 

According to the invention there is provided a device for use in validating recorded 
digitised voice, video, telemetry or computer generated information or the like, 
characterised in that the device includes a tamper-proof unit accommodating means 
for identifying the date, time and serial number of the device and the private key of a 
Public key encryption pair allocated to the device, the device being arranged in 
operation to produce a data file for recording on standard recording media having a 
header and an enciphered message, the recorded message being enciphered with the 
date, time and serial number of the device and the header containing the private key 
encrypted date, time and serial number used in the cipher process. 

According to the invention there is provided a process for use in validating recorded 
digitised voice, video, telemetry or digital computer generated information or the 
like, in which the process produces a data file of the recorded information enciphered 
with the date, time and serial number of the recording equipment and forms a file 
header containing the private key encrypted date, time and serial number used in the 
enciphering process. 

According to a feature of the invention the cipher process and encrypted header also 
include geophysical location information indicative of the actual location of the 
device making the validated recording. 

The process of the invention may be performed by a computer program which may be 
supplied on a suitable carrier. 

The equipment of the invention performs these operations in real-time without adding 
any significant delay to the recording of the data, without the need for a powerful 
encryption microprocessor and without the need for skilled personnel. Once the 
recording has been secured and encapsulated by the DataFreeze hardware the 
resulting disk, tape, electronic recording, magnetic recording or optical recording is 
re-playable on any conventional replay device for the replay of that type of media 
running special DataFreeze deciphering software. Consequently, in one possible 
implementation, a prosecuting authority could supply an accused's lawyers with a
CDROM produced by the arresting officers on a DataFreeze peripheral which was
readable by the accused's lawyers on their conventional Windows personal computer
with the DataFreeze decryption/deciphering software running. No additional 
hardware would be required by the defence lawyers. The date, time, CURSOR 
location and serial number of the DataFreeze peripheral used to make the recording 
would however always be available to the defence in confirmation of when, where
and on what equipment the data had been frozen by the police or security forces. 

Outside of the police and security services a DataFreeze peripheral could 
be used as an archival storage device in banking and financial services or 
as a tachograph or other work monitoring device in medical and in health 
and safety applications. 

Description of one embodiment of the invention 

The manufacturer, DataFreeze, generates a Public Key encryption pair for 
each unit to be manufactured - the public key being published as an X500 Digital 
Certificate and the private key being kept secret. Each private key is built into a 
custom chip in a tamper-proof module. Inside a DataFreeze peripheral is the custom 
chip in a tamper-proof module which is connected to a standard recording device (e.g.
a CDROM writer or a floppy disk drive). The custom chip contains a geophysical
positioning system (in one implementation of the invention a CURSOR
positioning system), a real-time clock and a unique serial number. The output from
these three devices, in one possible implementation, is converted into a 512 bit
number with the left portion containing the date and time (D), the middle containing
the positioning system's location (the CURSOR location) (C) and the right hand 
portion containing the Serial Number (S). 

Within the custom chip the 512 bit number is encrypted using the private key of the 
particular unit. The resulting encrypted stream is called "H-Data". Because the
volume of data (512 bits) being encrypted by the private key is very small, the
vulnerability of the data to cryptanalysis to discover the private key is very low. To
start a recording session the DataFreeze unit receives data from an external source 
(e.g. a computer or a listening device). The DataFreeze unit notes the "H-Data" and 
writes this to the recording media as a header to the recording, padding any spare 
space in the header with zeros. 

The DataFreeze unit now takes the first block of data received from the external 
source. It performs three simple Caesar cipher operations on the block of data - e.g.
multiplying the block of data by the new date and time and adding the CURSOR location
and the square of the serial number.

i.e. DataFreeze block = ([Data]*D1) + C + (S*S)

For the next block of data it performs a different calculation - e.g. multiplying the
block of data by the CURSOR location, adding the square of the new date and time
(which will have increased a defined amount during the writing of the first block) and
adding the serial number.

i.e. DataFreeze block = ([Data]*C) + (D2*D2) + S

For the next block of data it performs a different calculation - e.g. multiplying the
block of data by the square of the serial number, adding the square of the CURSOR
location and the new date and time (which will have increased a defined
amount during the writing of the second block).

i.e. DataFreeze block = ([Data]*S*S) + D3 + C

For the fourth block of data the DataFreeze peripheral would revert to
enciphering using the algorithm used for the first block of data.

i.e. DataFreeze block = ([Data]*D4) + C + S

Further variations on this manipulation are possible. However particular care must be

Such simple mathematical processes would not lead to any material overhead in the
outputting of the data. It would also be possible to 'fast forward' and 'reverse' along a
DataFreeze recording by noting the block number from the header and cycling 
through to the predicted algorithm, date and time, CURSOR location and serial 
number. 
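
The block cycle and the 'fast forward' property described above, as an added Python illustration (not code from the patent). It cycles the three formulas as stated for the first three blocks; the 16-byte block size, the one-unit clock advance per block and the sample D, C and S values are assumptions constructed for the example.

```python
# Added illustration of the three-formula block cycle; not code from the patent.
BLOCK = 16   # assumed block size in bytes
TICK = 1     # assumed clock advance per block written

def block_params(n, d1, c, s):
    """(multiplier, addend) for 0-based block n, cycling the page's three formulas."""
    d = d1 + n * TICK                       # predicted clock value for block n
    mult, add = [(d, c + s * s),            # ([Data]*D) + C + (S*S)
                 (c, d * d + s),            # ([Data]*C) + (D*D) + S
                 (s * s, d + c)][n % 3]     # ([Data]*S*S) + D + C
    if mult == 0:                           # a zero multiplier would erase the block
        raise ValueError("zero multiplier: block would not be recoverable")
    return mult, add

def encipher(data, d1, c, s):
    """Split data into BLOCK-byte blocks and return a list of enciphered integers."""
    out = []
    for off in range(0, len(data), BLOCK):
        mult, add = block_params(off // BLOCK, d1, c, s)
        out.append(int.from_bytes(data[off:off + BLOCK], "big") * mult + add)
    return out

def decipher_block(value, n, d1, c, s, size=BLOCK):
    """Invert block n alone: the block number predicts the formula and clock value."""
    mult, add = block_params(n, d1, c, s)
    plain, rem = divmod(value - add, mult)
    if rem or not 0 <= plain < 256 ** size:
        raise ValueError("block does not match these D, C, S values")
    return plain.to_bytes(size, "big")

# Constructed sample values (not from the page): four 16-byte blocks.
D1, C, S = 946_684_800, 52_205_000_117, 1234
RECORD = b"".join(b"constructed-%02d--" % i for i in range(4))

if __name__ == "__main__":
    blocks = encipher(RECORD, D1, C, S)
    # Jump straight to the fourth block without touching the first three.
    print(decipher_block(blocks[3], 3, D1, C, S))
```
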

With sufficient computing power and time it would always be possible to decipher a 
DataFreeze recording which had lost its header by trying various combinations of 
date, location and serial number against the fragment of the recording. However
because the H-Data is digitally signed using the private key of the DataFreeze X500 
digital certificate of the particular unit and the private key is located within a tamper 
proof module within the CURSOR unit along with the real time clock it would not be 
possible to create a fabricated DataFreeze recording which predated the original since 
this would require the forgery of the cryptographically secure H-data in the header.

A more sophisticated version of the invention could include a "digital fingerprint" in 
the header along with the H-Data. This would be produced by simultaneously passing 
a duplicate of the entire data session through a one-way algorithm while it was being 
written to disk to produce a unique value known as a message digest which would, in 
effect, be a "digital fingerprint" of the session. This message digest could then be 
encrypted by the DataFreeze unit's private key and written to the header 
field of the recording. When decrypted in software by using the DataFreeze unit's
X500 public key this message digest could be used to confirm the integrity and 
coherence of the recording of the data session. 
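
The H-Data header and the "digital fingerprint" check, as an added Python sketch that is not part of the patent. Unpadded textbook RSA over a toy key built from two known Mersenne primes stands in for the unit's private-key operation and is not secure; the 192/192/128-bit field split, SHA-256 as the one-way algorithm and the function names are assumptions.

```python
import hashlib

# Toy RSA key from two known Mersenne primes: illustration only, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                       # public part (what the certificate would carry)
PRIV = pow(E, -1, (P - 1) * (Q - 1))      # private exponent held in the tamper-proof module

D_BITS, C_BITS, S_BITS = 192, 192, 128    # assumed split of the 512-bit number

def pack(d, c, s):
    """Date/time on the left, location in the middle, serial number on the right."""
    return (d << (C_BITS + S_BITS)) | (c << S_BITS) | s

def unpack(m):
    """Split the 512-bit number back into (D, C, S)."""
    return (m >> (C_BITS + S_BITS), (m >> S_BITS) & (2**C_BITS - 1), m & (2**S_BITS - 1))

def make_header(d, c, s, session):
    """Device side: private-key encrypt the 512-bit number (H-Data) and the session digest."""
    digest = int.from_bytes(hashlib.sha256(session).digest(), "big")
    return {"h_data": pow(pack(d, c, s), PRIV, N), "fingerprint": pow(digest, PRIV, N)}

def verify(header, session):
    """Replay side: recover D, C, S with the public key and check the fingerprint."""
    m = pow(header["h_data"], E, N)
    if m >> 512:                          # result is not a 512-bit D|C|S number
        raise ValueError("H-Data was not produced by this unit's private key")
    digest = int.from_bytes(hashlib.sha256(session).digest(), "big")
    if pow(header["fingerprint"], E, N) != digest:
        raise ValueError("recording does not match the signed fingerprint")
    return unpack(m)

if __name__ == "__main__":
    session = b"constructed session bytes"    # constructed sample input
    header = make_header(946_684_800, 52_205_000_117, 1234, session)
    print(verify(header, session))            # (D, C, S) as stamped by the unit
```
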

A further version of the invention could contain a dummy or non-functional 
CURSOR unit located in the tamper-proof module. This would not determine the 
location of the unit but would simply give out a default location for inclusion in the 
H-Data. The DataFreeze unit would thus only stamp the data with the time and 
specific unit and the default location. Such a unit would have two main uses: Use in 
situations where it was not possible to get a location signal and use in situations 
where the cost of the DataFreeze unit needed to be low and the location information 
was not considered to be important. 

In yet a further version of the invention the geophysical information may be used to 
control the use of the recording equipment by having an inbuilt location identifier 
which is programmable and is used to prevent use of the recording equipment if it is 
located outside the geophysical area indicated by the inbuilt location identifier. 

A device in accordance with the invention is shown solely 
by way of example on the accompanying drawing. The various 
parts of the device are described and connected as shown 
on the drawing.